Tag: E-mail

For as long as phishing is a problem, I believe banks have got to rethink their Internet strategies.

In short, any email sent from a bank or other affected online institution leaves customers vulnerable.

For example: Citibank, one of the worst hit banks, still send out emails to their customers. Their Internet privacy page in Singapore, for example, says: “While Citibank does send email to our customers which contain links to our website, Citibank will never ask you for your PIN or other confidential information under any circumstances whatsoever.” This is not the point. Most phishing scams don’t ask directly for confidential information; some ask you to log onto the site to confirm such details, while others (a Citibank phish) warn of scams and urge you to log in to your account to check its status. Other phishing scams don’t even do that; they simply load a keylogger and wait for you to tap into the site in your own sweet time.

For sure, banks must contact customers, if only to warn them against phishing scams. But there are ways and means of doing this. If banks have to use email (what’s wrong with letters; presumably this was how banks communicated with their customers before?), they should be cut to a minimum, so as not to further confuse the customer.

And banks have got to think ahead. Phishing scams have grown in sophistication in a few short months, not just in their graphical mimicry of real banks, but in their technical approach (keyloggers) and in their social engineering tricks. For as long as this war escalates, banks must think hard about anything legitimate out on the Internet with their name on, and ask themselves whether it might be turned to a phisher’s advantage.

Banks should, for example, immediately abandon all marketing campaigns that use email: They are an invitation for creative phishers to exploit. One I received today, for example, is from a Singaporean company called ShareInvestor that alleges I am a member of its network (could be, but it must have been a long time ago, when I was still an Internet innocent.)

The email itself is a promotion for Citibank inviting me to “Book a new Premium Deposit with Citibank Online Treasury Services and enjoy a potentially higher interest rate on your money plus receive a S$10 Tangs shopping voucher for every US$10,000 invested**.” The email appears to be genuine (I had to check carefully and get someone smarter than I in such matters to check again), but I have to question Citibank’s wisdom in allowing these kind of promotions to carry on, particularly when their own website warns against phishing emails which “often look like the real thing and are hard to distinguish from a legitimate email or website.” Such promo emails from what are basically spammers (OK, email marketers) are just asking for trouble.

In this case, the link in the email takes you to a Citibank website and, after some blurb, tells you to call a number or visit a Citibank branch. So, no Internet transaction, which is definitely good. But what’s to stop a phisher mimicking the same ShareInvestor email and then luring someone to a Citibank-looking website, asking them to submit some personal data about, say their existing Internet account at another bank, and then directing them to the same Citibank website?

Think, Mr. Bank Manager, think. The phishing may only have just begun.

A second version of SpamBully, a Bayesian filter based spam fighter, has been released.

SpamBully 2.0 integrates into Outlook and Outlook Express and introduces some new features:

Email can be blocked based on the language of the email or the country of origin;

A link analyzer looks for spam by following links in an email and analyzing the web pages. Realtime Blackhole List integration continually checks for domains that are responsible for sending spam and automatically filters them from the Inbox;

Users can choose words and phrases they wish to allow or block from their Inbox.

These sound like good features. It’s a shame the product doesn’t work outside the Outlook world, but for those within it, it sounds like it’s worth a try. SpamBully 2.0 is free to try for 14 days. Single user licenses cost $30.

Be careful what you put in your email auto response when you head off on holiday/maternity leave/business trip. Anyone can read it.

One of the things that came out of Daniel McNamara’s travails at Code Fish was that, by having phishers put his name in the from field of one of their attacks, he got swamped by bounce-back emails that didn’t reach their destination. This is part of the Internet email system where a server will return anything it can’t pass on.

But among those bounce-backs are emails from legitimate addresses where the recipients have automated some sort of response, usually stored on the server, that will send a message back to the sender, informing them they’re out of the office. It’s these emails that are a problem.

I haven’t heard it happening yet, but I’m sure it will. Daniel says a lot of those autoresponses contained a lot of surprising personal information that would be very handy to someone somewhere. Who to call, where that person will be, when they’ll be back. Daniel says some of the messages are surprisingly informative, ranging from the person’s full name and workplace, through details of injuries incurred that are keeping the person in question at home, to companies using the autoresponse to notify senders that the person in question no longer works there, or, in some cases, has been “fired for misconduct”.

In these days of targeted phishing this is an invitation to social engineering of a high order. All a phisher would need to do is flood a company with emails, either guessing the email addresses, using a dictionary attack (where practically every word in the dictionary and English language is used) or else grabbing names from the company directory online. If a dozen people have autoresponders on, the information gained could easily facilitate a socially engineered attack on the company as a whole.

My advice: Assume that sleazy folk can read your autorespond messages and ask yourself whether you want to share that kind of information with them. Then either rewrite the autorespond message, or better still, don’t use one at all.

No. It is a real problem, if only because there’s still plenty of sleazy people figuring out new ways to ruin your day.

There’s some skepticism out there about this new spam threat: SPIM, in case you didn’t know, is spam that’s delivered, not to your inbox, but to your instant messaging chat program, like ICQ. Some folk say it’s a problem. Yankee Group, according to a recent report, estimates that currently five to eight percent of all instant messages are spam generated by automated bots. Others are more skeptical. Greg Cher on thespamweblog points out that he’s “been on all three of the major IM’s for at least years and have never…ever had a problem with ‘spim’.”

I was skeptical too, until today I saw these programs being peddled via PRWeb: “ICQPromoter is a powerful tool for sending messages to thousands of Online or Offline ICQ users. Audience can be targeted by specific interests, country, city, occupation, age, gender or language.” The company behind this, Nanosoft Inc. of Milpitas, California, also offer:

Admessenger (“a feature-rich direct advertising program designed to deliver your messages directly to upto 2 Billion Windows 2000, XP, and NT desktops…It is like showing Banner Advertisement with paying a single penny”)

Yahoo Answering Machine (“Serves as Perfect Advertising Machine and Advertisement Machine. You can send Message in Room after Predefined time. Send PM to all users in Current Chat Room.”)

You get the idea. These programs will basically spam large numbers of people using chat messengers, or Yahoo chat rooms, all of them automated. What would be amusing if it weren’t so dumb is the fact that Nanosoft prominently display their “zero-tolerance policy” towards Spam. “If you have found this website due to spam, please let us know,” they say. Presumably that doesn’t include using the products they sell?

On closer inspection, Nanosoft have some other rather sleazy products on display. How about this for size: Shadow Pooper [sic], which will, unknown to the user, “periodically open new browser (in fullscreen mode) and load your ad page.” And just in case that’s not intrusive enough for you, “it also can change users Homepage in browser to any URL you choose.” Helpfully, the blurb says “All you need, is to force user install your application on his PC. Use your imagination. Advertise your application as free xxx-dialer, internet booster, etc… You can even include it in installation pack with other free software.” So now we know how spyware works.

Then there’s the problem that Google have come across: The way that advertising via pay-per-click can be abused. Nanosoft offer this: the Traffic Blaster/ URL Generator which will “allow you to generate a massive amount of traffic to any website you wish. Affiliate sites, Banner Sites, Exit Exchanges, and the list goes on and on.” To be honest, I’m not clear from the blurb exactly how this works. Definitely worth a closer look though.

Ironically, these are the same guys selling Popup blockers, chat encrypters, privacy protectors and evidence eliminators. Which brings me back to an earlier post on the question: How can you buy software to protect your privacy from folk you don’t trust? (And I couldn’t help noticing that Nanosoft don’t really trust their customers. This message appears on their website: “Because of the growing incidences of Internet fraud, we log everything and take it very seriously. All the fraudulent transactions will be reported to FBI’s Internet Fraud Complaint Center (IFCC).” Right.)

The email, spammed all around, pretends to be from him and says, Dear Online Banking User, You should be heard about such called interned scam, also called phishing – the activity, aimed to stole your personal details. Possibly you already seen letters, asking you to verify your personal bank account details, reactivate it, or to stop illegal payment…

It then goes on to say more information can be found at his website or that of the Australian Federal Police. Of course the links don’t go there; they go to a website that, for IE users, downloads a trojan, which (probably) installs a program to log keystrokes and mail passwords back to the originator.

The phishing email not only seeks to implicate Daniel by delivering a trojan with his name in the email, it also overloads his servers. Since the email spoofs his email as the return address, those emails that do not reach their destination bounce back to his inbox. He says he has had to turn off his email server because of the traffic.
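The bounce flood described here, like the autoresponder replies to forged senders in the earlier post, lands because receiving servers accept a forged envelope sender at face value. As an added example (not code from the original posts or from Code Fish), the Python below implements a BATV-style signed return path: outgoing mail gets a tagged envelope sender, and any bounce or auto-reply addressed to an untagged or wrongly signed address can be rejected at the SMTP stage instead of filling the inbox. The key, address and timestamps are constructed; the "prvs" tag layout follows the BATV draft.

```python
"""BATV-style signed envelope sender: reject bounces for mail we never sent."""
import hashlib
import hmac
import re
import time
from typing import Dict, Optional, Tuple

# Tag layout of the BATV "prvs" scheme: prvs=KDDDSSSSSS=local@domain
# K = key number, DDD = expiry day (days since epoch mod 1000), SSSSSS = 6 hex chars of an HMAC.
PRVS_RE = re.compile(r"^prvs=(\d)(\d{3})([0-9a-f]{6})=(.+)$", re.IGNORECASE)
MAX_LIFETIME_DAYS = 30  # assumption: no tag we issue lives longer than this


def _day(now: Optional[float]) -> int:
    return int((time.time() if now is None else now) // 86400)


def _sig(key: bytes, keynum: int, expiry_day: int, address: str) -> str:
    data = f"{keynum}{expiry_day:03d}{address}".encode()
    return hmac.new(key, data, hashlib.sha1).hexdigest()[:6]


def sign_return_path(address: str, key: bytes, keynum: int = 0,
                     lifetime_days: int = 7, now: Optional[float] = None) -> str:
    """Tag the envelope sender (MAIL FROM) of outgoing mail; the From: header is untouched."""
    expiry_day = (_day(now) + lifetime_days) % 1000
    tag = f"{keynum}{expiry_day:03d}{_sig(key, keynum, expiry_day, address)}"
    return f"prvs={tag}={address}"


def check_bounce_recipient(rcpt: str, keys: Dict[int, bytes],
                           now: Optional[float] = None) -> Tuple[bool, str]:
    """For a message with a null envelope sender (bounce or auto-reply), decide
    whether RCPT TO may be accepted. Returns (accept, original address or reason)."""
    m = PRVS_RE.match(rcpt)
    if not m:
        return False, "no prvs tag: bounce for mail we never sent"
    keynum, expiry_day, sig, address = int(m[1]), int(m[2]), m[3].lower(), m[4]
    key = keys.get(keynum)
    if key is None:
        return False, "unknown key number"
    if not hmac.compare_digest(sig, _sig(key, keynum, expiry_day, address)):
        return False, "bad signature: tag forged or guessed"
    if (expiry_day - _day(now) % 1000) % 1000 > MAX_LIFETIME_DAYS:
        return False, "tag expired"
    return True, address


if __name__ == "__main__":
    # Constructed demo values; a real deployment keeps the key in the MTA configuration.
    keys = {0: b"constructed-secret-key"}
    signed = sign_return_path("daniel@example.invalid", keys[0])
    print(signed)
    print(check_bounce_recipient(signed, keys))                    # genuine bounce: accepted
    print(check_bounce_recipient("daniel@example.invalid", keys))  # forged sender: rejected
```

Because only the envelope sender is rewritten, replies that people type to the From: header still work; only automated traffic sent to the return path is filtered.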

Daniel has been at the forefront of recording and investigating the phishing phenomenon, and has clearly attracted the ire of those involved. He tells me he believes it’s the same people who left a hidden message in a recent phishing email directed at Westpac; the message implied somehow Daniel and Codefish were involved in the scam. Daniel believes he “really managed to nark them.”

This kind of thing shows that one guy like Daniel can make a difference, simply by cataloging phishing attacks, since he’s provoked their authors into what appears to be a somewhat inept attempt at revenge. It’s a shame more people aren’t doing this kind of sleuth work.

You’ve just purchased set of Maibach brand earthenware on web site cvv2.ru. Easy to use, Maibach kitchenware is also famous for its modern look. Our utensils, designed for easy and fast cooking of a variety of foods, will lower your energy consumption rate and save your time and money.

It goes on to trumpet the quality of Maibach’s kitchenware before offering a bonus:

1. Sony VHS cassette with 240 minutes of best underage porno you ever see. (NTSC and Secam both are available)

2. Bestselling manual “How to create plastic bomb in home” and “How to hijack a train or an aircraft, with color pictures and FAQ”

Needless to say, you might be somewhat alarmed by this. Did you buy some earthenware? Is someone using your credit card to buy earthenware? And what is a kitchenware manufacturer doing selling child pornography and bomb-making literature?

Well, it’s a puzzle. Maibach does exist: It’s a Russian kitchenware manufacturer, and much of the blurb in the email comes direct from their website. The email looks as if it comes from a Russian ISP called RBC, and mentions in the header a website called CVV2.ru, which is a site for hackers and carders run by a guy called Don.

Daniel McNamara of Code Fish Spam Watch reckons it’s “a fake email designed to get this carder site and its supporting network in trouble. We don’t think this has been sent out by any vigilante group and feel that it’s more likely that a rival carder gang is doing it in order to reduce competition. Our inboxes are simply victims of the crossfire in this turf war.”

Not everyone thinks the big boys are on the right track by pursuing spammers in the courts.

Postini, ‘the industry’s leading provider of email security and management for the enterprise’, says spam “cannot be solved by lawsuits and legislation alone”.

America Online, Microsoft, Earthlink and Yahoo announced on Wednesday that they had filed numerous civil lawsuits against spammers, charging them with violating the provisions of the two-month-old CAN-SPAM Act. Steve Kahan, corporate vice president for Postini, says, “We believe these lawsuits will only succeed against small unsophisticated spammers, while doing little to stop the overwhelming amount of spam clogging corporate America’s email boxes. We hope these lawsuits do not give people running email systems a false sense of security.”

Postini says that since CAN-SPAM it “has seen no reduction in the amount of spam directed at its customers”: 75-80% of all messages are spam, viruses and other malicious email. On March 3, Postini recorded its highest spam day ever, blocking 103,193,573 spam messages.

Of course, Postini would say all this. “We make sure our 2600 enterprise customers and ISP’s don’t have a spam problem,” says Kahan. “There’s no need for them to spend money suing spammers because we keep them totally protected.” But what about the rest of us, who don’t have an ISP willing to pony up for this kind of service?

That said, Postini are probably right about the lawsuits. Spam is processed outside the U.S. and other territories getting tough on spam. The only way to close down spammers, in my view, is to go after the people using their services. Spammers don’t sell the goods, they just market them.

Russia’s image as Spam (And Other Bad Stuff) Central is beginning to hurt.

CNET reports that customers of high-speed Internet service provider Comcast were unable to email anyone in Russia for four days last week after the company’s spam filter blocked any emails to an address with the Russian suffix ‘ru’.

Although CNET called the block a malfunction, I can’t quite believe that. Russia is one of the main conduits for email spam, since most of its ISPs either turn a blind eye to spammers, or else collect fees for allowing the huge volume of spam to pass through their servers. Could a spam filter automatically exclude every email with a domain suffix? Or could someone have flicked a switch in frustration? And while the story only refers to outgoing email, what happened to email coming from Russia to Comcast customers?

CNET said that “Comcast implemented the filter to thwart spammers who were using the ISP’s servers to send spam with spoofed return addresses ending in .ru, which is the Russian top level domain.”

E-MAIL IS GOOD. Very good: Of all the things that started out with the Internet it’s about the only survivor (ever heard of Gopher? Archie? Telnet?). E-mail works because it’s simple. You send e-mail, you receive it: Two standards, or protocols. People communicating with each other, sending text, pictures, attachments, falling in love, arguing, writing columns. Looking back, nearly all of us must wonder how we managed without it.

But these days e-mail is looking a bit frayed around the edges. Virus writers have found that e-mail is the best way to spread their creations, forcing us to place blockades on our inbox to keep the nasty stuff at bay. Fake e-mails lure the unwary into giving up their bank-account passwords and PINs. Then there’s spam, which now accounts for more than half–sometimes a lot more than half–of all e-mail. The joy of e-mail has been tarnished by the realization that not everything that lands in our inbox is lovingly crafted by someone who has only good things in mind for us. Those days are gone. So what’s ahead?

Here are some tools to help folk worried by all this identity theft/fraud/phishing thang.

Protecteer LLC has today released SignupShield 2.0, an add-on for Microsoft’s Internet Explorer that, among other things “automatically creates a hard to guess password and a disposable email address, each time a user signs-up with a new Web site”.

It then automatically “fills up sign-up forms, saves and tracks usage or change of passwords. When a user needs to provide sign-in credentials to a site, SignupShield does it automatically.” With the disposable email address that it automatically uses, “users can easily block any misbehaving sources of emails. Shielding is 100%, no false positives.” SignupShield is available for $29.95. A free, limited version is offered as well.

Then there’s Cloudmark’s Anti-Fraud, also out today, “the first free fraud prevention service for email users available today”. Cloudmark’s SpamNet uses real-time feedback from users, which has, the company says, “protected the SpamNet community from all email threats — viruses, worms, spam and even the most devious fraud messages — since the product was launched”. Cloudmark also uses a Rating program, an “email reputation system that fingerprints those messages sent by legitimate businesses and matches them at the end-user level, correctly allowing them through every time”. Taken together, the company says, the two “rebuild trust between companies and consumers, ensuring that the email from PayPal waiting for you in your inbox was positively sent by PayPal, Inc.”

New users can download SpamNet for Outlook or Outlook Express and get free anti-spam and anti-fraud service for 30 days here. After the trial, the regular price is $4 per month, or $40 per year.